Title: ReqLock
Author: RACKSET
Published: <strong>June 8, 2026</strong>
Last modified: June 8, 2026

---

Search plugins

![](https://ps.w.org/reqlock/assets/banner-772x250.png?rev=3564939)

![](https://ps.w.org/reqlock/assets/icon-256x256.png?rev=3564939)

# ReqLock

 By [RACKSET](https://profiles.wordpress.org/rackset/)

[Download](https://downloads.wordpress.org/plugin/reqlock.1.0.0.zip)

 * [Details](https://wordpress.org/plugins/reqlock/#description)
 * [Reviews](https://wordpress.org/plugins/reqlock/#reviews)
 *  [Installation](https://wordpress.org/plugins/reqlock/#installation)
 * [Development](https://wordpress.org/plugins/reqlock/#developers)

 [Support](https://wordpress.org/support/plugin/reqlock/)

## Description

**ReqLock** — also written **RequestLock** or **Request Lock** — is an outbound (
egress)
 firewall for WordPress. It controls every call your site makes _out_ to
the internet, on both sides of the request: the **server** (PHP / WP HTTP API) and
the **browser** (the HTML your pages render). One master switch puts your site fully
in control of its own outbound traffic.

Modern WordPress sites are noisy: update checks, license pings, analytics, tag managers,

external fonts, embedded widgets, AI APIs, and assorted “phone-home” calls all reach
out to servers you don’t control. When those servers are slow, blocked, or down,
your pages and your dashboard pay the price — and every one of them is a place your
visitors’ data leaks out. ReqLock lets you shut that traffic off at will, instantly
and reversibly, without editing theme files or hunting down plugins.

**One switch, four jobs:**

 * **Resilience** — keep the site working when the external internet is **cut or
   restricted**
    (outages, regional shutdowns, upstream failures). Pages serve from
   local assets and wp-admin stops hanging on dead requests.
 * **Performance** — slow or unreachable third-party calls **fail instantly** instead
   of
    stalling front-end and back-end page loads on long timeouts.
 * **Privacy** — strip analytics, trackers, external fonts, and phone-home requests
   so nothing
    about your visitors leaves the server.
 * **Development** — turn any install into a self-contained, **offline-capable**
   environment:
    no external calls, no tracking from a staging copy, no waiting 
   on remote APIs while you work.

#### Use cases

 * **Outage / shutdown resilience.** When upstream connectivity is throttled or 
   blocked, a
    normal WordPress site stalls on every external call. Flip ReqLock
   on and the site keeps serving from local resources — admin included.
 * **Speeding up a sluggish site.** A single slow analytics or font host can add
   seconds to
    every page load. ReqLock makes those calls fail fast instead of blocking
   the render.
 * **Privacy / no-tracking deployments.** Run a site that provably makes no third-
   party
    requests — useful for privacy-first projects, internal tools, and compliance-
   sensitive setups.
 * **Local & staging development.** Clone production to a laptop or staging box 
   and ReqLock
    keeps it from phoning home: no analytics fired from a test copy,
   no license pings, no WordPress.org update checks slowing down `wp-admin` while
   you build. The site behaves the same with the network unplugged — ideal for offline
   coding, demos, and air-gapped boxes.
 * **Auditing what a site talks to.** The Detected-hosts panel logs every external
   host the
    site reaches, so you can see exactly who your themes and plugins contact—
   then decide what to allow and what to cut.

#### What it blocks

**Server-side (PHP / WP HTTP API)**

 * Outbound `wp_remote_*` requests to external hosts: WordPress.org update/version
   checks,
    analytics, AI APIs (OpenAI, Gemini), remote fonts, license/phone-home
   pings, etc. They fail instantly instead of timing out.

**Browser-side (rendered HTML)**

 * External `<script src>` and external `<link rel="stylesheet">` (e.g. Google Fonts)
 * Resource hints: `preconnect` / `dns-prefetch` / `preload` / `prefetch`
 * External `<iframe>` (replaced with a clean local placeholder)
 * Inline analytics snippets: Google Analytics / Tag Manager, Microsoft Clarity,
   Ahrefs,
    Meta Pixel, Hotjar, Yandex, TikTok, Pinterest, LinkedIn, Twitter/X, 
   Snap, Segment, Plausible
 * Optional: external `<img>` (transparent placeholder)

#### Key behavior

 * Your own domain and all its subdomains are **always allowed**.
 * **Allow-list** for any other hosts that must stay reachable.
 * **Detected-hosts panel** logs every external host seen, so you can build the 
   allow-list fast.
 * **Per-category toggles** — turn each blocking layer on/off independently.
 * **wp-config conflict control** — detects a hard-coded `WP_HTTP_BLOCK_EXTERNAL`
   constant and
    lets you disarm it (comment it out) or re-arm it (restore it) in
   one click, so ReqLock is the single switch for external blocking. Edits are reversible,
   integrity-checked, and atomic.
 * **Inert when OFF** — with the master switch off, the plugin does nothing, so 
   it is safe to
    keep installed and flip on only when needed.
 * **Works over full-page caches** — the output filter runs as the outermost buffer,
   so it
    covers cached page views too.

### Credits

Developed and maintained by the Rackset DevOps Team — https://rackset.com

## Screenshots

[⌊The ReqLock settings page — master switch, per-category toggles, allow-list, and
the detected-hosts panel.⌉⌊The ReqLock settings page — master switch, per-category
toggles, allow-list, and the detected-hosts panel.⌉[

The ReqLock settings page — master switch, per-category toggles, allow-list, and
the detected-hosts panel.

## Installation

 1. Upload the `reqlock` folder to `/wp-content/plugins/`, or install the ZIP from **
    Plugins  Add New  Upload Plugin**.
 2. Activate **ReqLock** from the **Plugins** screen.
 3. Go to **Settings  ReqLock**.
 4. Turn the **master switch ON** when you want to block external requests (during 
    an outage, to cut slow/tracking calls, or to take a dev/staging copy offline). 
    It is **OFF** by default, so activation alone changes nothing.

## FAQ

### Will activating it break my site?

No. With the master switch OFF the plugin is completely inert. Even when ON, your
own domain and its subdomains are always allowed.

### When should I turn the master switch ON?

Any time you want to cut the site off from external services: during an internet
outage/restriction, to stop slow third-party calls from dragging down load times,
to strip trackers for privacy, or to take a staging/local copy fully offline while
you develop.

### Can I use it to develop offline?

Yes — that’s a core use case. Turn the master switch ON and the install stops reaching
out to WordPress.org, analytics, license servers, fonts, and other remote hosts.
Your local or staging site then loads and behaves the same with the network unplugged,
and never fires tracking or phone-home calls from a non-production copy.

### Does it work with caching plugins?

Yes. The output filter runs as the outermost output buffer, so it also filters cached
page views (tested with full-page cache plugins).

### Does it affect wp-admin?

Server-side request blocking applies everywhere (which makes the admin faster when
the network is down). Browser-side HTML sanitizing runs on the front-end by default;
you can optionally enable it for wp-admin too.

### How do I keep one external service working while blocking the rest?

Add its host to the Allow-list. The Detected-hosts panel lists everything ReqLock
sees, so you can copy hosts from there.

### What about custom PHP scripts that bypass WordPress?

Standalone scripts that use raw `curl`/`file_get_contents` outside WordPress are
not interceptable by a plugin and must guard their own external calls.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“ReqLock” is open source software. The following people have contributed to this
plugin.

Contributors

 *   [ RACKSET ](https://profiles.wordpress.org/rackset/)

“ReqLock” has been translated into 1 locale. Thank you to [the translators](https://translate.wordpress.org/projects/wp-plugins/reqlock/contributors)
for their contributions.

[Translate “ReqLock” into your language.](https://translate.wordpress.org/projects/wp-plugins/reqlock)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/reqlock/), check out
the [SVN repository](https://plugins.svn.wordpress.org/reqlock/), or subscribe to
the [development log](https://plugins.trac.wordpress.org/log/reqlock/) by [RSS](https://plugins.trac.wordpress.org/log/reqlock/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.0

 * Initial public release.
 * Server-side blocking of outbound WP HTTP API requests to external hosts (with
   allow-list).
 * Browser-side sanitization: external scripts, styles, resource hints, iframes,
   inline analytics, and (optional) images.
 * wp-config conflict control: detect, disarm, and re-arm a hard-coded `WP_HTTP_BLOCK_EXTERNAL`
   constant.
 * Output filter runs as the outermost buffer, so it covers full-page-cache hits.
 * Per-category toggles, allow-list, detected-hosts log, and an admin-bar active-
   mode indicator.
 * Translations: English, 日本語 (Japanese), 简体中文 (Simplified Chinese), Español,
   Deutsch, Français, فارسی (Persian).

## Meta

 *  Version **1.0.0**
 *  Last updated **21 hours ago**
 *  Active installations **Fewer than 10**
 *  WordPress version ** 5.0 or higher **
 *  Tested up to **7.0**
 *  PHP version ** 7.2 or higher **
 *  Languages
 * [Chinese (China)](https://cn.wordpress.org/plugins/reqlock/) and [English (US)](https://wordpress.org/plugins/reqlock/).
 *  [Translate into your language](https://translate.wordpress.org/projects/wp-plugins/reqlock)
 * Tags
 * [external requests](https://wordpress.org/plugins/tags/external-requests/)[firewall](https://wordpress.org/plugins/tags/firewall/)
   [offline](https://wordpress.org/plugins/tags/offline/)[performance](https://wordpress.org/plugins/tags/performance/)
   [privacy](https://wordpress.org/plugins/tags/privacy/)
 *  [Advanced View](https://wordpress.org/plugins/reqlock/advanced/)

## Ratings

No reviews have been submitted yet.

[Your review](https://wordpress.org/support/plugin/reqlock/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/reqlock/reviews/)

## Contributors

 *   [ RACKSET ](https://profiles.wordpress.org/rackset/)

## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/reqlock/)